Skip to content

Commit

Permalink
[TASK] Anonymize token in Exception handlers
Browse files Browse the repository at this point in the history 
Log entries no longer contain specific tokens.
Instead, they are replaced with `--AnonymizedToken—`.

Resolves: #84502
Releases: master, 8.7
Change-Id: I42a8127cdccc904e8bbb82b5ea74b0e3d012586f
Reviewed-on: https://review.typo3.org/56419
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
  • Loading branch information
@liayn
Mathias Schreiber authored and liayn committed Mar 22, 2018
1 parent 2b7a75e commit 3289ee0
Show file tree
Hide file tree
Showing 3 changed files with 96 additions and 11 deletions.
17 changes: 15 additions & 2 deletions typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
View file
Expand Up @@ -16,6 +16,7 @@

use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\Utility\HttpUtility;

/**
* An abstract exception handler
Expand Down Expand Up @@ -64,7 +65,7 @@ protected function writeLogEntries(\Throwable $exception, $context)
$logMessage = 'Uncaught TYPO3 Exception: ' . $exceptionCodeNumber . $exception->getMessage() . ' | '
. get_class($exception) . ' thrown in file ' . $filePathAndName . ' in line ' . $exception->getLine();
if ($context === 'WEB') {
$logMessage .= '. Requested URL: ' . GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL');
$logMessage .= '. Requested URL: ' . $this->anonymizeToken(GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL'));
}
$backtrace = $exception->getTrace();
// Write error message to the configured syslogs
Expand Down Expand Up @@ -141,7 +142,7 @@ protected function sendStatusHeaders(\Throwable $exception)
if (method_exists($exception, 'getStatusHeaders')) {
$headers = $exception->getStatusHeaders();
} else {
$headers = [\TYPO3\CMS\Core\Utility\HttpUtility::HTTP_STATUS_500];
$headers = [HttpUtility::HTTP_STATUS_500];
}
if (!headers_sent()) {
foreach ($headers as $header) {
Expand All @@ -157,4 +158,16 @@ protected function getBackendUser()
{
return $GLOBALS['BE_USER'];
}

/**
* Replaces the generated token with a generic equivalent
*
* @param string $requestedUrl
* @return string
*/
protected function anonymizeToken(string $requestedUrl): string
{
$pattern = '/(?<=[tT]oken=)[0-9a-fA-F]{40}/';
return preg_replace($pattern, '--AnonymizedToken--', $requestedUrl);
}
}
21 changes: 12 additions & 9 deletions typo3/sysext/core/Tests/Unit/Core/ApplicationContextTest.php
View file
@@ -1,15 +1,18 @@
<?php
namespace TYPO3\CMS\Core\Tests\Unit\Core;

/* *
* This script belongs to the TYPO3 Flow framework. *
* *
* It is free software; you can redistribute it and/or modify it under *
* the terms of the GNU Lesser General Public License, either version 3 *
* of the License, or (at your option) any later version. *
* *
* The TYPO3 project - inspiring people to share! *
* */
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

use TYPO3\CMS\Core\Core\ApplicationContext;

Expand Down
69 changes: 69 additions & 0 deletions typo3/sysext/core/Tests/Unit/Error/AbstractExceptionHandlerTest.php
View file
@@ -0,0 +1,69 @@
<?php
declare(strict_types=1);
namespace TYPO3\CMS\Core\Tests\Unit\Error;

/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

use TYPO3\CMS\Core\Error\AbstractExceptionHandler;
use TYPO3\TestingFramework\Core\Unit\UnitTestCase;

/**
* Testcase for the AbstractExceptionHandlerTest class
*/
class AbstractExceptionHandlerTest extends UnitTestCase
{
/**
* Data provider with allowed contexts.
*
* @return array
*/
public function exampleUrlsForTokenAnonymization(): array
{
return [
'url with valid token' => [
'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36',
'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--'
],
'url with valid token in the middle' => [
'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36&param=asdf',
'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--&param=asdf'
],
'url with invalid token' => [
'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8/e',
'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8/e',
],
'url with empty token' => [
'http://localhost/typo3/index.php?M=foo&moduleToken=',
'http://localhost/typo3/index.php?M=foo&moduleToken=',
],
'url with no token' => [
'http://localhost/typo3/index.php?M=foo',
'http://localhost/typo3/index.php?M=foo',
],
];
}

/**
* @test
* @dataProvider exampleUrlsForTokenAnonymization
* @param string $originalUrl
* @param string $expectedUrl
*/
public function anonymizeTokenReturnsCorrectModifiedUrl(string $originalUrl, string $expectedUrl)
{
$mock = $this->getAccessibleMockForAbstractClass(AbstractExceptionHandler::class, ['dummy']);
$anonymizedUrl = $mock->_call('anonymizeToken', $originalUrl);
$this->assertSame($expectedUrl, $anonymizedUrl);
}
}

0 comments on commit 3289ee0

Please sign in to comment.